
IRM360 B.V. Marcel Lavalette 10 January 2023

Good Cyber Security intentions for 2023 or Cyber Security measures required by law?


NIS2, the new Cybersecurity Law.

The NIS2 (Network and Information Systems) Directive was adopted in November 2022 as the new European Cybersecurity Directive and mandates several things that organisations must comply with to keep cybercriminals out. Not heard of it yet? Then it is worth reading on, because the NIS2 also introduces administrative responsibility and liability for natural persons.


Legislation by mid-2024!

Like the European GDPR for privacy, the European NIS2 also becomes mandatory legislation for the organisations listed below. Just as the GDPR became the AVG in the Netherlands, the NIS2 also has a Dutch name: the NIB2 (Network and Information Security Directive). As Dutch legislation, it will have to be implemented in the second half (September) of 2024, 21 months after adoption. Incidentally, this applies to all 27 European member states.

The "2" comes from the fact that the NIS already existed, namely since 2016. From this NIS(1), the WBNI (Network and Information Systems Security Act) emerged in 2018, which imposed a legal notification obligation and security measures on digital service providers (DSPs) and providers of essential services (AEDs), such as electricity companies and drinking water providers. Incidentally, the DSP and AED are no longer mentioned in the NIS2.

Recent years have shown that many organisations did not sufficiently implement the so-called "basic measures" also listed by the National Cyber Security Centre (https://www.ncsc.nl/onderwerpen/basismaatregelen). Many organisations turned out to be vulnerable to cyber attacks. Often, far more organisations were affected than just the one that was actually targeted, so the impact was frequently huge. The NIS2 should strengthen cyber resilience by raising security levels and enforcing the adoption of "basic measures" to prevent cyber attacks and reduce their impact.

The NIS2 is not only a substantive update of the NIS: it will now also be a local Dutch law (NIB2), and likewise a local law in all other EU member states. In addition, a major change is the scope. Whereas before it was mainly focused on the aforementioned DSPs and AEDs, mostly large organisations that are essential for critical infrastructure, it will now also affect organisations that are important for critical infrastructure and organisations that supply them. In addition, size no longer matters. So it is very possible that your organisation could be covered by the NIS2. It is assumed that around 160,000 organisations in Europe are covered by the NIS2, and around 4,500 organisations in the Netherlands.

In addition, the NIS2 will also ensure that collaborative efforts are made within sectors and EU member states to increase and accelerate incident reporting.


To whom does it apply?

The NIS2 covers organisations that have business activities falling under the 'essential activities' in the following key essential sectors:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Healthcare
  • Drinking water and waste water supply
  • Digital infrastructure
  • ICT services management (B2B)
  • Government
  • Aerospace

This now includes organisations offering key activities such as:

  • Providers of social networking platforms
  • Ancillary providers of digital infrastructure services (such as providers of public electronic communication networks and services)
  • Providers of ICT service management
  • Government services
  • Postal and courier services
  • Manufacture, production and distribution of chemicals
  • Entities involved in the production, processing and distribution of food products
  • Certain manufacturers (e.g. of medical equipment, IT or electronic components, machinery, motor vehicles or other means of transport)
  • Pharmaceutical companies
  • Research institutions
  • Waste management

If you are a service provider in respect of these activities and have more than 50 employees and a turnover of more than 10 million, then you are covered by the NIS2. But the NIS2 applies to the entire chain. So if you are doing business with any of these organisations, you will also fall under the NIS2, or requirements will be placed on you, and this in particular will affect many organisations!


Government enforcement and fines

As mentioned in the introduction, EU Member States will translate the NIS2 into local legislation, and this should be in place by early 2024 (which is soon). Member States will cooperate more closely among themselves and with the EU and should set up one or more Computer Security Incident Response Teams. In the Netherlands, a number of these CSIRTs are already active for certain groups.

Failure to comply with the NIS2 could result in fines of as much as 2% of global turnover, with a maximum of €10 million. The process will be different from the GDPR-AVG, where the process only starts after a data breach. Under the NIS2, it will also be possible to be audited on suspicion of a data breach, and random audits can also be carried out. It should be noted that essential entities will be under full supervision, while for important entities supervision will be ex-post. With the NIS2, by the way, there is administrative responsibility and liability!

It remains to be seen who will carry out enforcement and how. There are some rumours going around that this might fall to the Telecom Agency. This regulator has been renamed Rijksinspectie Digitale Infrastructuur (RDI for short) with effect from 1-1-2023, so perhaps there is a connection.


What do I need to comply with?

  • Depending on whether your organisation falls under essential or important activities, you will have to comply with a number of requirements. It becomes important to embed risk management as a process, and as a result risk analyses and risk treatments will have to be carried out.
  • It is mandatory to register security incidents if they impact the availability, integrity or confidentiality, and also the authenticity, of data. As with a data breach under the AVG, these should be reported within 72 hours, and even within 24 hours if availability has been compromised; a full incident report should be submitted within a month. Furthermore, business continuity, backup management, disaster recovery and crisis management measures will have to be taken.
  • Supplier and supply chain security in relation to suppliers and service providers.
  • General cybersecurity measures and training (see the list below).

If you do business with one of these organisations that provide essential and important activities, you will also need to have your general security measures in order. After all, it is obvious that these organisations will also require suppliers to demonstrate that the minimum basic measures, which they themselves must comply with, have been taken. Since the NIS2 sets security requirements for the whole chain, the list below (partly based on the NCSC's basic security measures) is an excellent basis:

  • Taking basic cybersecurity measures and training.
  • Guidelines and procedures for the use of encryption.
  • Access security, Asset Management, and HR security
  • Ensure that each application and system generates sufficient log information, and keep a proper inventory of them.
  • Apply multifactor authentication where necessary
  • Determine who has access to your data and services
  • Segment networks
  • Encrypt storage media containing sensitive business information
  • Check which devices and services are accessible from the internet and protect them
  • Back up and test your systems regularly
  • Install software updates
  • Avoid viruses and other malware
  • Inventory vulnerabilities by performing regular risk assessments and vulnerability scans.


Demonstrability is important, ISO 27001 certification? Or in some other way?

There are no NIS2 certifications (yet). In practice, many providers of essential and key activities will want to demonstrate NIS2 compliance. Given their supply chain responsibilities, they will in turn also require their suppliers to make this demonstrable. A standard like ISO 27001 for information security is expected to be used more often for this purpose. After all, most of the measures mentioned in the NIS2 are also addressed in this standard, so it will be an easy route to demonstrating NIS2 compliance. As a supplier in the chain, this will make it a lot easier to continue doing business with providers of essential and key activities.

Getting started quickly with NIS2 implementation and compliance.

With our integrated CyberManager management systems ISMS, PIMS, CSMS and BCMS (for information security, privacy, cybersecurity and business continuity), we offer both SMEs and large organisations a solution to implement and manage the aforementioned issues in a scalable manner. Whether you are a provider of essential or key activities under the NIS2 or a supplier with slightly different requirements, there is always a suitable subscription for the NIS2 and, for example, the ISO 27001 standard.

In CyberManager, a NIS2 dashboard is available that is linked to the measures mentioned in this article, allowing you to focus first on the NIS2 requirements and demonstrate compliance with them. You can also use the same measures, as well as additional measures, for implementing ISO 27001. This allows you to implement the NIS2 step by step, as well as the ISO 27001 standard.

The CyberManager ISMS software offers standard risk management functionality; registration and handling of security incidents, data breaches, vulnerabilities and other workflows, including e-mail notifications to those affected; and privacy management via the PIMS. In addition, an integrable e-learning management system is available so that Risk Awareness training can be provided, and you can manage your Business Continuity Assessments and Planning via the Business Continuity Management System. As indicated earlier, dashboards for the NIS2 as well as ISO 27001 are available.

Organisations that also use standards such as NIST CSF, CSIR/BIACS, IEC 62443 or, for example, the CIS Controls, for either an ISMS or OT security, can also manage them via the CyberManager ISMS or CSMS management systems.

To know more, contact us here or through our partners. Click here to learn more about our CyberManager ISMS, CSMS, PIMS, and BCMS solutions.


Questions?

We can imagine that you may still have questions or want to coordinate matters with us in advance regarding the NIS2. We will of course be happy to help.

We would love to get in touch for opportunities and information!

Mail to your contact or sales@irm360.nl or fill in the contact form here or contact your partner.